Cyber Security News

A massive cyberattack hit Albania

Security Affairs - Mon, 07/18/2022 - 07:44
A synchronized criminal attack from abroad hit Albania over the weekend; all Albanian government systems were shut down following the cyberattack.

Albania was hit by a massive cyberattack over the weekend, the government confirmed on Monday. A synchronized criminal attack from abroad hit the servers of the National Agency for Information Society (AKSHI), which handles many government services.

“In order to withstand these unprecedented and dangerous strikes, we have been forced to close down government systems until the enemy attacks are neutralized,” the Albanian National Agency for the Information Society (AKSHI) said in a statement.

Government services were all down on Monday after the cyber attack.

“Albania is under a massive cybernetic attack that has never happened before. This criminal cyber-attack was synchronized… from outside Albania,” the Council of Ministers said in a press release. “In order to not allow this attack to damage our information system, the National Agency of Information Society had temporarily shut down online services and other government websites.”

Most of the desk services for the population were interrupted; only a few important services, such as online tax filing, are still working because they are provided by servers not targeted in the attack.

Sali Berisha, a former PM and opposition leader, was critical of the government’s cyber posture.

“How did it happen that the government ordered almost all important services to go through this website?” Berisha asked. “How can such initiatives be undertaken while no professional policing against cyber crime is yet in place?”

The Microsoft Jones Group International team is helping AKSHI to mitigate the effect of the attack and restore operations.

In December, Albania’s prime minister Edi Rama apologized for the massive leak of personal records from a state government database.

Exposed records include the personal identity card numbers, employment and salary data of some 637,000 people.

In April 2021 a similar incident exposed identity card records from a state database ahead of Albania’s parliamentary elections.

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, Albania)

The post A massive cyberattack hit Albania appeared first on Security Affairs.

Categories: Cyber Security News

Hackers Distributing Password Cracking Tool for PLCs and HMIs to Target Industrial Systems

The Hacker News - Mon, 07/18/2022 - 06:59
Industrial engineers and operators are the target of a new campaign that leverages password cracking software to seize control of Programmable Logic Controllers (PLCs) and co-opt the machines to a botnet. The software "exploited a vulnerability in the firmware which allowed it to retrieve the password on command," Dragos security researcher Sam Hanson said. "Further, the software was a malware
Categories: Cyber Security News

Watch out for the CVE-2022-30136 Windows NFS Remote Code Execution flaw

Security Affairs - Mon, 07/18/2022 - 06:43
Researchers published an analysis of the Windows remote code execution vulnerability CVE-2022-30136 impacting the Network File System.

Trend Micro Research has published an analysis of the recently patched Windows vulnerability CVE-2022-30136 that impacts the Network File System.

CVE-2022-30136 is a remote code execution vulnerability that resides in the Windows Network File System; it is due to improper handling of NFSv4 requests.

A remote attacker can exploit this vulnerability by sending malicious RPC calls to a target server to achieve arbitrary code execution in the context of SYSTEM. Experts pointed out that the unsuccessful exploitation of this issue may trigger a crash of the impacted system.

CVE-2022-30136 – Windows Network File System Remote Code Execution Vulnerability
“This CVSS 9.8 bug looks eerily similar to CVE-2022-26937 – an NFS bug patched last month and one we blogged about last week. This vulnerability could allow a remote attacker to execute privileged code on affected systems running NFS.” reads the description published by ZDI. “On the surface, the only difference between the patches is that this month’s update fixes a bug in NFSV4.1, whereas last month’s bug only affected versions NFSV2.0 and NFSV3.0. It’s not clear if this is a variant or a failed patch or a completely new issue. Regardless, enterprises running NFS should prioritize testing and deploying this fix.”

The NFS network file system protocol was originally developed by Sun Microsystems in 1984; it allows users to access remote file shares in the same way that the local file system is accessed.

The NFS protocol uses Open Network Computing (ONC) Remote Procedure Call (RPC) to exchange control messages. When ONC RPC messages are sent over TCP, they are prepended with a Fragment header structure that specifies the length of the message, a piece of information used by the receiver to distinguish multiple messages sent over a single TCP session.

Offset   Size   Description
-------  -----  ----------------------------------
0x0000   4      Fragment header: the highest bit is the last-fragment flag, the lower bits hold the fragment size = N
0x0004   N      RPC message

“A buffer overflow vulnerability exists in the Windows implementation of NFS. The vulnerability is due to incorrect calculation of the size of response messages. The server calls the function Nfs4SvrXdrpGetEncodeOperationResultByteCount() to calculate the size of each opcode response, but it does not include the size of the opcode itself.” reads the post published by Trend Micro researchers. “This results in the size of the response buffer being too small by OP Count * 4 bytes. A corresponding buffer is allocated with OncRpcBufMgrpAllocate. When the response data is written to the buffer, the response data overflows.”

The experts pointed out that only NFS version 4 is vulnerable because it uses the OncRpcBufMgrpAllocate function.
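The two technical points above, the fragment header that frames ONC RPC messages on TCP and the per-opcode undercount Trend Micro describes, as an added example written for this page (not code from Trend Micro, ZDI or Microsoft). The reassembler is a faithful reading of the header layout in the table; the size-accounting part is a deliberately simplified model that assumes each operation result is preceded by a 4-byte XDR opcode and ignores the headers before the per-operation results.

```python
import struct
from typing import List, Tuple

# Record-marking header for ONC RPC over TCP: one 32-bit big-endian word whose
# highest bit is the last-fragment flag and whose lower 31 bits give the length.
LAST_FRAGMENT_FLAG = 0x80000000
FRAGMENT_LEN_MASK = 0x7FFFFFFF


def parse_fragment_header(data: bytes, offset: int = 0) -> Tuple[bool, int]:
    """Return (is_last_fragment, fragment_length) for the header at data[offset:offset+4]."""
    if len(data) - offset < 4:
        raise ValueError("truncated fragment header")
    (word,) = struct.unpack_from(">I", data, offset)
    return bool(word & LAST_FRAGMENT_FLAG), word & FRAGMENT_LEN_MASK


def build_fragment(payload: bytes, last: bool) -> bytes:
    """Prepend a record-marking header to one fragment (used here only to build sample input)."""
    if len(payload) > FRAGMENT_LEN_MASK:
        raise ValueError("fragment too large")
    word = len(payload) | (LAST_FRAGMENT_FLAG if last else 0)
    return struct.pack(">I", word) + payload


def split_records(stream: bytes) -> List[bytes]:
    """Reassemble complete RPC messages from a TCP byte stream.

    Fragments are concatenated until one carries the last-fragment flag. A
    fragment whose declared length runs past the available bytes is rejected
    instead of being silently truncated, which is the check a receiver needs
    before trusting the length field for any allocation.
    """
    messages: List[bytes] = []
    current = bytearray()
    pos = 0
    while pos < len(stream):
        last, length = parse_fragment_header(stream, pos)
        pos += 4
        if pos + length > len(stream):
            raise ValueError("fragment claims %d bytes but only %d remain" % (length, len(stream) - pos))
        current += stream[pos:pos + length]
        pos += length
        if last:
            messages.append(bytes(current))
            current = bytearray()
    if current:
        raise ValueError("stream ended inside a multi-fragment message")
    return messages


# --- Response-size accounting (simplified model, see lead-in) ---------------
# Assumption: each operation result in a reply is preceded by a 4-byte opcode.
OPCODE_SIZE = 4


def result_bytes_only(op_results: List[bytes]) -> int:
    """The miscount the write-up describes: result bytes per operation, opcodes left out."""
    return sum(len(r) for r in op_results)


def result_bytes_with_opcodes(op_results: List[bytes]) -> int:
    """Correct accounting: every operation result is preceded by its opcode."""
    return sum(OPCODE_SIZE + len(r) for r in op_results)


def response_size_shortfall(op_results: List[bytes]) -> int:
    """Bytes a buffer sized with the miscount falls short by: OP Count * 4."""
    return result_bytes_with_opcodes(op_results) - result_bytes_only(op_results)


# Constructed sample: one message split over two fragments, then a one-fragment message.
SAMPLE_STREAM = (
    build_fragment(b"abc", last=False)
    + build_fragment(b"de", last=True)
    + build_fragment(b"xyz", last=True)
)

if __name__ == "__main__":
    print(split_records(SAMPLE_STREAM))  # [b'abcde', b'xyz']
    print(response_size_shortfall([b"\x00" * 8, b"\x00" * 12, b""]))  # 12
```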

“This bug was patched by Microsoft in June 2022 and assigned CVE-2022-30136. In their write-up, they also list disabling NFSv4.1 as a method to mitigate attacks. However, this could lead to a loss of functionality. Also, Microsoft notes the update to address this bug should not be applied unless the fix for CVE-2022-26937 is installed.” concludes the experts. “Applying both updates in the appropriate order is the best method to fully address these vulnerabilities.”



Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2022-30136)

The post Watch out for the CVE-2022-30136 Windows NFS Remote Code Execution flaw appeared first on Security Affairs.

Categories: Cyber Security News

Juniper Releases Patches for Critical Flaws in Junos OS and Contrail Networking

The Hacker News - Mon, 07/18/2022 - 01:02
Juniper Networks has pushed security updates to address several vulnerabilities affecting multiple products, some of which could be exploited to seize control of affected systems. The most critical of the flaws affect Junos Space and Contrail Networking, with the tech company urging customers to release versions 22.1R1 and 21.4.0, respectively. Chief among them is a collection of 31 bugs in the
Categories: Cyber Security News

Google is going to remove App Permissions List from the Play Store

Security Affairs - Sun, 07/17/2022 - 13:56
Google is going to remove the app permissions list from the official Play Store for both the mobile app and the web.

As part of the “Data safety” initiative for the Android app on the Play Store, Google plans to remove the app permissions list from both the mobile app and the web.

With the launch of the Data Safety section on Google Play, which will be mandatory for all apps in 1 week, it seems the app permissions list is going away in both the mobile app and the web.

— Mishaal Rahman (@MishaalRahman) July 13, 2022

In April, Google rolled out the new “Data safety” section for Android apps on the Play Store; the move aims at increasing transparency on the type of data being collected and shared with third parties and the purpose of its collection.

Developers are required to complete the Data safety section in Google Play for their apps by July 20th.

“As app developers update their functionality or change their data handling practices, they will show the latest in the apps’ Data safety section.” reads the announcement published by Google in April.

Time is running out: the deadline is approaching, and Google is removing the permissions section from the official store.

With this deadline now approaching next week, the tech giant has moved to entirely remove the permissions section.

According to The Hacker News, which reported the news, many popular apps have yet to fill in their Data safety section, including Facebook, Instagram, WhatsApp, and Discord.

Stay tuned ….



Pierluigi Paganini

(SecurityAffairs – hacking, App Permissions List)

The post Google is going to remove App Permissions List from the Play Store appeared first on Security Affairs.

Categories: Cyber Security News

Security Affairs newsletter Round 374 by Pierluigi Paganini

Security Affairs - Sun, 07/17/2022 - 00:50
A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs for free in your email box.

Critical flaw in Netwrix Auditor application allows arbitrary code execution
CISA urges to fix multiple critical flaws in Juniper Networks products
Threat actors exploit a flaw in Digium Phone Software to target VoIP servers
Tainted password-cracking software for industrial systems used to spread P2P Sality bot
Experts warn of attacks on sites using flawed Kaswara Modern WPBakery Page Builder Addons
Holy Ghost ransomware operation is linked to North Korea
RedAlert, LILITH, and 0mega, 3 new ransomware in the wild
Mantis botnet powered the largest HTTPS DDoS attack in June
The new Retbleed speculative execution attack impacts both Intel and AMD chips
Former CIA employee Joshua Schulte was convicted of Vault 7 massive leak
Microsoft published exploit code for a macOS App sandbox escape flaw
VMware fixed a flaw in vCenter Server discovered eight months ago
Qakbot operations continue to evolve to avoid detection
Three UEFI Firmware flaws found in tens of Lenovo Notebook models
Large-scale AiTM phishing campaign targeted +10,000 orgs since 2021
The President of European Central Bank Christine Lagarde targeted by hackers
Flaws in the ExpressLRS Protocol allow the takeover of drones
Microsoft announced the general availability of Windows Autopatch feature
Cloud-Based Cryptocurrency mining attacks abuse GitHub Actions and Azure VM
A fake job offer via LinkedIn allowed to steal $540M from Axie Infinity
Anubis Networks is back with new C2 server
BlackCat (aka ALPHV) Ransomware is Increasing Stakes up to $2,5M in Demands
Experts warn of the new 0mega ransomware operation
Experts demonstrate how to unlock several Honda models via Rolling-PWN attack
French telephone operator La Poste Mobile suffered a ransomware attack



Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 374 by Pierluigi Paganini appeared first on Security Affairs.

Categories: Cyber Security News

APT groups target journalists and media organizations since 2021

Security Affairs - Sun, 07/17/2022 - 00:44
Researchers from Proofpoint warn that various APT groups have been targeting journalists and media organizations since 2021.

Proofpoint researchers warn that APT groups have been regularly targeting journalists and media organizations, and posing as journalists, since early 2021.

The media sector is a privileged target for this category of attackers due to the access its operators have to sensitive information that could be aligned with the interests of state actors.

The report published by Proofpoint focuses on the activities conducted by some APT actors linked to China, North Korea, Iran, and Turkey.

All the attackers have attempted to compromise the email and social-media accounts of the targets with phishing attacks, in some cases posing as journalists.

“As observed in Proofpoint data, targeting journalists’ work email accounts is by far the most seen locus of attack used by APT actors against this target set. It is important to note that journalists are communicating with external, foreign, and often semi-anonymous parties to gather information. This outreach increases the risk of phishing since journalists, often by necessity, communicate with unknown recipients more so than the average user.” reads the report published by Proofpoint. “Verifying or gaining access to such accounts can be an entry point for threat actors for later stage attacks on a media organization’s network or to gain access to desired information.”

The lure emails and messages sent through the different platforms used political topics of interest to the recipients.

The campaigns uncovered by the researchers leveraged a variety of techniques, including malware to establish a foothold on the target network. The attackers also use web beacons for reconnaissance purposes.

Proofpoint tracked the activity of the China-linked APT group TA412 (aka Zirconium) targeting US-based journalists. The nation-state actors used phishing emails containing web beacons (tracking pixels, tracking beacons, or web bugs), which embed a hyperlinked non-visible object within the body of an email.

The targeted US-based journalists were covering domestic politics and national security, topics aligned with the interests of Beijing.

The phishing messages used in the campaigns had subject lines pulled from recent U.S. news articles related to the political topics of interest at the time, including former President Donald Trump’s activities, the attack on the US Capitol Building, U.S. political movements related to China, and, more recently, the U.S. position on Russia’s ongoing invasion of Ukraine.

Proofpoint also observed another China-linked APT group, tracked as TA459, in late April 2022 targeting the employees at media organizations. The threat actors used emails containing a malicious Royal Road RTF attachment (acknowledge.doc) that, if opened, would drop the Chinoxy backdoor.

Web beacons, commonly referred to as tracking pixels, tracking beacons, or web bugs, embed a hyperlinked non-visible object within the body of an email that, when enabled, attempts to retrieve a benign image file from an actor-controlled server.
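The web beacon technique described above, seen from the receiving side: an added example written for this page (not Proofpoint’s code) that scans an HTML email body and flags remote images that look like beacons, using the three traits the text gives: a non-visible object (1x1 size or hidden style), a remote fetch from an external server, and, as in the per-recipient URLs described later in the post, an opaque per-target identifier in the query string. The sample message and the `tracker.example` host are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlparse

# Query values that look like per-recipient tracking identifiers: long, opaque, alphanumeric.
OPAQUE_TOKEN = re.compile(r"^[A-Za-z0-9_-]{16,}$")


def _pixels(value: Optional[str]) -> Optional[int]:
    """Parse a width/height attribute such as '1' or '1px'; None when absent or non-numeric."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def _is_remote(src: str) -> bool:
    """Only http(s) images contact a server when rendered; cid:/data: images cannot beacon."""
    return urlparse(src).scheme in ("http", "https")


def beacon_reasons(attrs: Dict[str, Optional[str]]) -> List[str]:
    """Return why an <img> looks like a web beacon (empty list when it looks benign)."""
    src = attrs.get("src") or ""
    if not _is_remote(src):
        return []
    reasons: List[str] = []
    w, h = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        reasons.append("tiny")
    style = (attrs.get("style") or "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden")
    if any(OPAQUE_TOKEN.match(value) for _, value in parse_qsl(urlparse(src).query)):
        reasons.append("opaque-token")
    return reasons


class _ImgCollector(HTMLParser):
    """Collect every <img> whose attributes trip beacon_reasons()."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, object]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr_map = {name.lower(): value for name, value in attrs}
        reasons = beacon_reasons(attr_map)
        if reasons:
            self.findings.append({"src": attr_map.get("src"), "reasons": reasons})


def find_beacons(html: str) -> List[Dict[str, object]]:
    """Scan an HTML email body and list remote images that look like tracking beacons."""
    collector = _ImgCollector()
    collector.feed(html)
    collector.close()
    return collector.findings


# Constructed sample message: one 1x1 pixel with a per-recipient token, a normal
# logo, an inline (cid:) image that cannot beacon, and a hidden remote image.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Please see the attached statement.</p>
<img src="https://tracker.example/pixel.gif?id=a1b2c3d4e5f6a7b8c9d0" width="1" height="1">
<img src="https://cdn.example/logo.png" width="200" height="60" alt="logo">
<img src="cid:inline-logo" width="1" height="1">
<img src="https://tracker.example/open.png" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_EMAIL_HTML):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

A mail gateway would act on the "opaque-token" reason in particular, since a unique identifier is what lets the sender confirm which recipient opened the message.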

The experts also observed the North Korea-linked TA404 group, aka Lazarus, targeting a U.S.-based media organization in early 2022. The attackers used phishing messages with job offers as lures.

“This campaign aligned with that expected behavior. It started with reconnaissance phishing that used URLs customized to each recipient. The URLs impersonated a job posting with landing pages designed to look like a branded job posting site. If a victim interacted with the URL, which contained a unique target ID, the server resolving the domain would have received confirmation that the email was delivered, and the intended target had interacted with it.” continues the report. “This request also provides identifying information about the computer, or device, allowing the host to keep track of the intended target.”

Researchers also observed Turkish threat actors tracked as TA482 that regularly conducted credential harvesting campaigns against social media accounts of mostly US-based journalists and media organizations.

The report also details the activity of Iran-linked APTs, such as TA453, that targeted journalists and newspapers. Threat actors often posed as journalists themselves to spy on targets and harvest their credentials.

“Targeting journalists and media organizations is not novel. APT actors, regardless of their state affiliation, have and will likely always have a mandate to target journalists and media organizations and will use associated personas to further their objectives and collection priorities. From intentions to gather sensitive information to attempts to manipulate public perceptions, the knowledge and access that a journalist or news outlet can provide is unique in the public space.” concludes the report. “Targeting the media sector also lowers the risk of failure or discovery to an APT actor than going after other, more hardened targets of interest, such as government entities.”



Pierluigi Paganini

(SecurityAffairs – hacking, journalists)

The post APT groups target journalists and media organizations since 2021 appeared first on Security Affairs.

Categories: Cyber Security News

Critical flaw in Netwrix Auditor application allows arbitrary code execution

Security Affairs - Sat, 07/16/2022 - 15:49
A vulnerability in the Netwrix Auditor software can be exploited to execute arbitrary code on affected devices.

Bishop Fox discovered a vulnerability in the Netwrix Auditor software that can be exploited by attackers to execute arbitrary code on affected devices.

Netwrix Auditor is auditing software that allows organizations to monitor their IT infrastructure; it is currently used by more than 11,000 organizations worldwide.

The vulnerability is an insecure object deserialization issue that allows an attacker to execute arbitrary code with the privileges of the vulnerable service.

“This issue is caused by an unsecured .NET remoting port accessible on TCP port 9004.” reads the advisory published by Bishop Fox. “An attacker can use this issue to achieve arbitrary code execution on servers running Netwrix Auditor. Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain.”

An attacker can exploit the flaw to achieve remote code execution on servers by submitting arbitrary objects to the application through this service.

The experts pointed out that Netwrix Auditor services typically run with a highly privileged account, which could lead to full compromise of the Active Directory environment.

“The ExploitRemotingService tool was then used to send the serialized object to the UAVRServer service over .NET remoting. The resulting exception was an indicator that the payload was executed successfully.” continues the advisory.

“Since the command was executed with NT AUTHORITY\system privileges, exploiting this issue would allow an attacker to fully compromise the Netwrix server.”

Netwrix addressed the flaw with the release of software version 10.5 on June 6, 2022.



Pierluigi Paganini

(SecurityAffairs – hacking, Netwrix Auditor)

The post Critical flaw in Netwrix Auditor application allows arbitrary code execution appeared first on Security Affairs.

Categories: Cyber Security News

CISA urges to fix multiple critical flaws in Juniper Networks products

Security Affairs - Sat, 07/16/2022 - 10:16
CISA urges admins to apply recently released fixes in Juniper Networks products, including Junos Space, Contrail Networking and NorthStar Controller.

CISA urges users and administrators to review the Juniper Networks security advisories page and apply security updates available for some products, including Junos Space, Contrail Networking and NorthStar Controller.

Threat actors can exploit some of these vulnerabilities to take over the affected system.

“Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.” reads the CISA’s advisory. “CISA encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates.”

The vendor addressed 31 critical vulnerabilities in Junos Space; the issues reside in multiple third-party components, including the nginx resolver, Oracle Java SE, OpenSSH, Samba, the RPM package manager, Kerberos, OpenSSL, the Linux kernel, curl, and MySQL Server.

The most severe flaw, tracked as CVE-2021-23017 (CVSS score 9.4), affects the nginx resolver and can allow an attacker who is able to forge UDP packets from the DNS server to cause a 1-byte memory overwrite, resulting in a worker process crash or potentially other impact.

The vendor also addressed multiple known vulnerabilities in CentOS 6.8, shipped with Junos Space Policy Enforcer prior to version 22.1R1.

“Policy Enforcer is a component of the Junos Space Security Director user interface, integrated with Sky ATP to provide centralized threat management and monitoring for software-defined secure networks.” reads the advisory. “These issues affect all versions of Juniper Networks Junos Space Policy Enforcer prior to 22.1R1.”

Juniper also fixed multiple critical vulnerabilities in Contrail Networking 21.4, some of which date back to 2013. Multiple integer overflows in libgfortran, collectively tracked as CVE-2014-5044, can be exploited by remote attackers to execute arbitrary code or cause a denial of service (Fortran application crash) via vectors related to array allocation.

Juniper also addressed a remote code execution issue, tracked as CVE-2021-23017, that affects its NorthStar Controller product and received a 9.4 CVSS score.

Remote attackers can trigger the issue to cause a worker process crash or, potentially, arbitrary code execution.

The good news is that Juniper SIRT is not aware of any malicious exploitation of the above issues.



Pierluigi Paganini

(SecurityAffairs – hacking, Juniper Networks)

The post CISA urges to fix multiple critical flaws in Juniper Networks products appeared first on Security Affairs.

Categories: Cyber Security News

Threat actors exploit a flaw in Digium Phone Software to target VoIP servers

Security Affairs - Sat, 07/16/2022 - 09:14
Threat actors are targeting VoIP servers by exploiting a vulnerability in Digium’s software to install a web shell, Palo Alto Networks warns.

Recently, Unit 42 researchers spotted a campaign, active since December 2021, targeting the Elastix system used in Digium phones. Threat actors exploited a vulnerability, tracked as CVE-2021-45461 (CVSS score 9.8), in the Rest Phone Apps (restapps) module to implant a web shell on VoIP servers. The attackers used the web shell to exfiltrate data by dropping additional payloads inside the target’s Digium phone software.

“As of this writing, we have witnessed more than 500,000 unique malware samples of this family over the period spanning from late December 2021 till the end of March 2022. The malware installs multilayer obfuscated PHP backdoors to the web server’s file system, downloads new payloads for execution and schedules recurring tasks to re-infect the host system.” reads the advisory published by Palo Alto Networks Unit 42. “Moreover, the malware implants a random junk string to each malware download in an attempt to evade signature defenses based on indicators of compromise (IoCs).”

The researchers observed a high volume of malicious traffic likely originating from more than 500,000 unique samples over the period spanning from mid-December 2021 till the end of March 2022. The traffic targets Digium open source Asterisk communication software for VoIP phone devices.

The malicious campaign has many similarities to the INJ3CTOR3 campaign detailed by Check Point Research in 2020; experts speculate it could be a resurgence of that campaign.

The attack chain starts with code that retrieves a shell script dropper from a remote server, which, in turn, downloads and executes an obfuscated PHP backdoor in multiple locations in the file system.

The PHP backdoor also creates several root user accounts and sets up a scheduled task to maintain persistence and re-infect the host system.

The malware supports arbitrary commands via the cmd request parameter along with built-in default commands that allow operators to carry out malicious activities.

“The strategy of implanting web shells in vulnerable servers is not a new tactic for malicious actors. The only way to catch advanced intrusions is a defense-in-depth strategy. Only by orchestrating multiple security appliances and applications in a single pane can defenders detect these attacks.” concludes the report.



Pierluigi Paganini

(SecurityAffairs – hacking, Digium Phones)

The post Threat actors exploit a flaw in Digium Phone Software to target VoIP servers appeared first on Security Affairs.

Categories: Cyber Security News

Google Removes "App Permissions" List from Play Store for New "Data Safety" Section

The Hacker News - Sat, 07/16/2022 - 02:59
Following the launch of a new "Data safety" section for the Android app on the Play Store, Google appears to be readying to remove the app permissions list from both the mobile app and the web. The change was highlighted by Esper's Mishaal Rahman earlier this week. The Data safety section, which Google began rolling out in late April 2022, is the company's answer to Apple's Privacy Nutrition
Categories: Cyber Security News

Hackers Targeting VoIP Servers By Exploiting Digium Phone Software

The Hacker News - Sat, 07/16/2022 - 02:33
VoIP phones using Digium's software have been targeted to drop a web shell on their servers as part of an attack campaign designed to exfiltrate data by downloading and executing additional payloads. "The malware installs multilayer obfuscated PHP backdoors to the web server's file system, downloads new payloads for execution, and schedules recurring tasks to re-infect the host system," Palo
Categories: Cyber Security News

New Netwrix Auditor Bug Could Let Attackers Compromise Active Directory Domain

The Hacker News - Sat, 07/16/2022 - 01:07
Researchers have disclosed details about a security vulnerability in the Netwrix Auditor application that, if successfully exploited, could lead to arbitrary code execution on affected devices.  "Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain," Bishop Fox said in an
Categories: Cyber Security News

Tainted password-cracking software for industrial systems used to spread P2P Sality bot

Security Affairs - Fri, 07/15/2022 - 18:27
Dragos researchers uncovered a small-scale campaign targeting industrial engineers and operators with Sality malware.

During a routine vulnerability assessment, Dragos researchers discovered a campaign targeting industrial engineers and operators with Sality malware.

Threat actors behind the campaign used multiple accounts across several social media platforms to advertise password-cracking software for Programmable Logic Controller (PLC), Human-Machine Interface (HMI), and project files.

The password recovery software is advertised as working against industrial systems from ABB, Allen Bradley, Automation Direct, Fuji Electric, LG, Vigor, Mitsubishi, Omron, Panasonic, Pro-Face, Siemens, and Weintek.

The attackers are attempting to infect industrial control systems (ICS) and create a botnet.

Dragos experts investigated an infection of DirectLogic PLCs from Automation Direct; reverse engineering of the password cracking tool showed that it did not crack the password at all, but rather exploited a vulnerability in the firmware to retrieve the password on command. The password cracking software also acts as a dropper for the Sality P2P bot.

According to the experts, the tool successfully recovers Automation Direct’s DirectLogic 06 PLC password by connecting a Windows machine to the PLC over a serial connection.

Dragos researchers were also able to recover the password using the exploit over Ethernet, significantly increasing the severity of the flaw, tracked as CVE-2022-2003.

CVE-2022-2003 was responsibly disclosed to Automation Direct, and the vendor addressed it with the release of a firmware update.

The Sality P2P botnet is known to be involved in password cracking and cryptocurrency mining activities.

“Dragos assesses with moderate confidence the adversary, while having the capability to disrupt industrial processes, has financial motivation and may not directly impact Operational Technology (OT) processes.” reads the advisory published by Dragos. “Sality employs process injection and file infection to maintain persistence on the host. It abuses Window’s autorun functionality to spread copies of itself over Universal Serial Bus (USB), network shares, and external storage drives.”

The sample of the Sality malware employed in the attack analyzed by Dragos also drops clipboard hijacking malware, which checks the clipboard to hijack cryptocurrency wallet addresses.

The Sality malware uses a kernel driver to avoid detection; it also starts a service that identifies processes associated with potential security products and kills them.

“Dragos only tested the DirectLogic-targeting malware. However, initial dynamic analysis of a couple of other samples indicate they also contain malware. In general, it appears there is an ecosystem for this type of software. Several websites and multiple social media accounts exist all touting their password “crackers.”” concludes the report. “Trojanized software is a common delivery technique for malware and has been proven effective for gaining initial access to a network.”



Pierluigi Paganini

(SecurityAffairs – hacking, Sality malware)


5 Key Things We Learned from CISOs of Smaller Enterprises Survey

The Hacker News - Fri, 07/15/2022 - 12:05
New survey reveals lack of staff, skills, and resources driving smaller teams to outsource security. As business begins its return to normalcy (however “normal” may look), CISOs at small and medium-size enterprises (500 – 10,000 employees) were asked to share their cybersecurity challenges and priorities, and their responses were compared with the results of a similar survey from 2021.

New Cache Side Channel Attack Can De-Anonymize Targeted Online Users

The Hacker News - Fri, 07/15/2022 - 11:22
A group of academics from the New Jersey Institute of Technology (NJIT) has warned of a novel technique that could be used to defeat anonymity protections and identify a unique website visitor. "An attacker who has complete or partial control over a website can learn whether a specific target (i.e., a unique individual) is browsing the website," the researchers said. "The attacker knows this

Experts warn of attacks on sites using flawed Kaswara Modern WPBakery Page Builder Addons

Security Affairs - Fri, 07/15/2022 - 10:33
Researchers spotted a massive campaign that scanned close to 1.6 million WordPress sites for vulnerable Kaswara Modern WPBakery Page Builder Addons.

The Wordfence Threat Intelligence team observed a sudden increase in attacks targeting the Kaswara Modern WPBakery Page Builder Addons. Threat actors are attempting to exploit an arbitrary file upload vulnerability tracked as CVE-2021-24284. The plugin has been closed, but its developers have not addressed the issue, which still affects all versions of the plugin. An attacker can trigger the issue to upload malicious PHP files to a website using the vulnerable component, leading to code execution and potentially a full takeover of the site. Once they have established a foothold, attackers can also inject malicious JavaScript into files on the site, among other malicious actions.

The experts strongly recommend completely removing Kaswara Modern WPBakery Page Builder Addons as soon as possible and installing an alternative, because the plugin is unlikely to ever receive a security fix for this issue.

Wordfence is currently protecting over 1,000 websites that use the plugin, but the company estimates that the total number of websites that still have the plugin installed is between 4,000 and 8,000.

“We have blocked an average of 443,868 attack attempts per day against the network of sites that we protect during the course of this campaign. Please be aware that while 1,599,852 unique sites were targeted, a majority of those sites were not running the vulnerable plugin.” reads the advisory published by Wordfence. “The majority of the attacks we have seen are sending a POST request to /wp-admin/admin-ajax.php using the uploadFontIcon AJAX action found in the plugin to upload a file to the impacted website.”

Administrators can check whether they have been targeted by searching their web server logs for the following query string:

/wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1

The researchers observed that the attack attempts originated from 10,215 IP addresses, with most of the attempts coming from just ten of them.

“Based on our analysis of the attack data, a majority of attackers are attempting to upload a zip file named a57bze8931.zip. When attackers are successful at uploading the zip file, a single file named a57bze8931.php will be extracted into the /wp-content/uploads/kaswara/icons/ directory.” concludes the report. “This file is an uploader under the control of the attacker. With this file, a malicious actor has the ability to continue uploading files to the compromised website. The indicators observed in these attacks also include signs of the NDSW trojan, which injects code into otherwise legitimate JavaScript files and redirects site visitors to malicious websites.”
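The log check described above, as an added example that is not part of the original post or of Wordfence's tooling: it scans combined-format access-log lines for POSTs carrying the uploadFontIcon action and for requests to the dropped a57bze8931.php uploader, then summarises hits per source IP. The log lines are constructed sample data; the IP addresses are documentation ranges, not real attackers.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache/Nginx combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jul/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jul/2022:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Jul/2022:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 403 0 "-" "curl/7.68.0"
192.0.2.55 - - [14/Jul/2022:10:02:11 +0000] "GET /wp-content/uploads/kaswara/icons/a57bze8931.php HTTP/1.1" 200 44 "-" "python-requests/2.25"
192.0.2.55 - - [14/Jul/2022:10:02:12 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)
# The AJAX action Wordfence saw being abused, wherever it sits in the query string.
UPLOAD_RE = re.compile(r'^/wp-admin/admin-ajax\.php\?(?:.*&)?action=uploadFontIcon(?:&|$)')
# The uploader Wordfence reports being extracted from a57bze8931.zip.
DROPPED_RE = re.compile(r'^/wp-content/uploads/kaswara/icons/a57bze8931\.php(?:\?|$)')

def classify(line):
    """Return (kind, ip, status) for a line matching an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, status = m.group('ip'), m.group('path'), int(m.group('status'))
    if m.group('method') == 'POST' and UPLOAD_RE.match(path):
        return ('upload_attempt', ip, status)
    if DROPPED_RE.match(path):
        return ('dropped_file_access', ip, status)
    return None

def scan(log_text):
    """Summarise indicator hits: every finding, hits per source IP, and upload
    attempts that got a 200 (those warrant checking the uploads directory)."""
    findings = [f for f in map(classify, log_text.splitlines()) if f]
    return {
        'findings': findings,
        'by_ip': Counter(ip for _, ip, _ in findings),
        'successful_uploads': [f for f in findings if f[0] == 'upload_attempt' and f[2] == 200],
    }

if __name__ == '__main__':
    summary = scan(SAMPLE_LOG)
    for kind, ip, status in summary['findings']:
        print(f'{kind:20} {ip:15} {status}')
    print('sources:', dict(summary['by_ip']))
```

WordPress also accepts the action parameter in the POST body, which access logs do not record, so the absence of this query string is not proof a site was spared; inspect the /wp-content/uploads/kaswara/icons/ directory as well.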



Pierluigi Paganini

(SecurityAffairs – hacking, WPBakery Page Builder)


Holy Ghost ransomware operation is linked to North Korea

Security Affairs - Fri, 07/15/2022 - 08:08
Microsoft researchers linked the Holy Ghost ransomware (H0lyGh0st) operation to North Korea-linked threat actors.

The Microsoft Threat Intelligence Center (MSTIC) researchers linked the activity of the Holy Ghost ransomware (H0lyGh0st) operation to a North Korea-linked group they track as DEV-0530.

The Holy Ghost ransomware gang has been active since June 2021 and it conducted ransomware attacks against small businesses in multiple countries. The list of victims includes manufacturing organizations, banks, schools, and event and meeting planning companies.

MSTIC linked DEV-0530 to another North Korea-based group tracked as PLUTONIUM (aka DarkSeoul or Andariel). The researchers noticed that the H0lyGh0st ransomware used custom tools created by the PLUTONIUM APT.

Like other operations, H0lyGh0st adopts a double-extortion model, threatening to publish victims’ data if they do not pay the ransom. The group maintains an .onion site, which it uses to interact with its victims. The Holy Ghost ransomware appends the .h0lyenc extension to the filenames of encrypted files.

Microsoft tracks the early Holy Ghost ransomware variant as SiennaPurple (BTLC_C.exe); the experts noticed that these early variants supported far fewer features than the most recent ones. Microsoft tracks the recent variants as SiennaBlue (HolyRS.exe, HolyLocker.exe, and BTLC.exe), which, unlike the older ones, are written in Go. HolyRS.exe was first detected in October 2021, HolyLocker.exe in March 2022, and BTLC.exe in April 2022.

The SiennaBlue variant evolved over time by implementing multiple encryption options, string obfuscation, public key management, and support for the internet and intranet.

The threat actors asked victims to pay a ransom of between 1.2 and 5 Bitcoin, with the amount open to negotiation. The analysis of the attackers’ wallet transactions shows that they failed to extort ransom payments from their victims.

“Based on geopolitical observations by global experts on North Korean affairs and circumstantial observations, Microsoft analysts assess the use of ransomware by North Korea-based actors is likely motivated by two possible objectives. The first possibility is that the North Korean government sponsors this activity.” concludes Microsoft. “To offset the losses from these economic setbacks, the North Korean government could have sponsored cyber actors stealing from banks and cryptocurrency wallets for more than five years. If the North Korean government is ordering these ransomware attacks, then the attacks would be yet another tactic the government has enabled to offset financial losses. However, state-sponsored activity against cryptocurrency organizations has typically targeted a much broader set of victims than observed in DEV-0530 victimology. Because of this, it is equally possible that the North Korean government is not enabling or supporting these ransomware attacks. Individuals with ties to PLUTONIUM infrastructure and tools could be moonlighting for personal gain. This moonlighting theory might explain the often-random selection of victims targeted by DEV-0530.”

The report published by Microsoft also includes indicators of compromise (IoCs) for this threat and recommendations for mitigating it.



Pierluigi Paganini

(SecurityAffairs – hacking, Holy Ghost ransomware)


North Korean Hackers Targeting Small and Midsize Businesses with H0lyGh0st Ransomware

The Hacker News - Fri, 07/15/2022 - 06:22
An emerging threat cluster originating from North Korea has been linked to developing and using ransomware in cyberattacks targeting small businesses since September 2021. The group, which calls itself H0lyGh0st after the ransomware payload of the same name, is being tracked by the Microsoft Threat Intelligence Center under the moniker DEV-0530, a designation assigned for unknown, emerging, or a

RedAlert, LILITH, and 0mega, 3 new ransomware in the wild 

Security Affairs - Fri, 07/15/2022 - 03:26
Cyble researchers warn of three new ransomware operations named Lilith, RedAlert and 0mega targeting organizations worldwide.

Researchers from threat intelligence firm Cyble warn of new ransomware gangs that surfaced recently, named Lilith, RedAlert, and 0mega.

RedAlert (aka N13V) targets both Windows systems and Linux VMware ESXi servers in target organizations. The name RedAlert comes from a string of the same name in the ransom note. Unlike other ransomware operations, RedAlert only accepts ransom payments in Monero.

RedAlert is human-operated ransomware that uses the NTRUEncrypt public key encryption algorithm for encryption. The ransomware targets a limited set of file types, including log files (.log), swap files (.vswp), virtual disks (.vmdk), snapshot files (.vmsn) and memory files (.vmem) of VMware ESXi virtual machines. It appends a “.crypt[Random number]” extension to the filenames of encrypted files.

The Lilith ransomware is written in C/C++ and targets 64-bit Windows systems. The malware appends the “.lilith” extension to the filenames of encrypted files. The threat actors behind this operation adopt a double extortion model.

“Upon execution, Lilith ransomware initially searches for a list of hardcoded processes in the file and terminates its execution if any of them are running on the target’s machine. This step ensures that these processes do not block access to the files to be encrypted.” reads the analysis published by Cyble. “The ransomware searches for files to encrypt on the local system by enumerating the file directories using FindFirstFileW() and FindNextFileW() API functions. It ignores the file extensions such as EXE, DLL, and SYS and excludes a list of directory and file names from the encryption process.”

The Lilith ransomware encrypts files using a set of cryptographic APIs and a random key generated locally.

The 0mega ransomware is also targeting organizations worldwide using a double-extortion model.

The ransomware operation has been active at least since May 2022 and already claimed to have breached multiple organizations.

Victims of the ransomware reported that the malware adds the .0mega extension to the names of encrypted files and creates a customized ransom note for each victim named DECRYPT-FILES.txt.

In some cases the operators behind this ransomware included in the ransom note details on how they would disclose the attack to business partners and trade associations should the victim not pay the ransom.

Source https://id-ransomware.blogspot.com/2022/05/0mega-ransomware.html

Like other ransomware gangs, the operators use a payment negotiation site hosted on the Tor network.

Victims can contact the operators via the negotiation site by uploading the ransom note dropped on their systems; the note includes a unique identifier that ties it to the victim.
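An added triage helper, not part of the original post or of Cyble's research, that maps the file-level indicators described for RedAlert, Lilith and 0mega above (and the .h0lyenc extension from the Holy Ghost story) onto a list of paths and flags which RedAlert-encrypted files were the ESXi virtual-machine files the ransomware is reported to target. The path list is constructed sample data for a hypothetical incident.

```python
import os
import re
from collections import Counter

# Indicators as described in the article: appended extension per family plus the
# 0mega ransom-note name. The H0lyGh0st entry comes from the MSTIC story above.
FAMILY_RULES = [
    ("RedAlert", re.compile(r"\.crypt\d+$", re.I)),   # ".crypt" + random number
    ("Lilith", re.compile(r"\.lilith$", re.I)),
    ("0mega", re.compile(r"\.0mega$", re.I)),
    ("H0lyGh0st", re.compile(r"\.h0lyenc$", re.I)),
]
RANSOM_NOTES = {"DECRYPT-FILES.txt": "0mega"}
# VMware ESXi file types RedAlert is reported to go after.
ESXI_TYPES = {".log", ".vswp", ".vmdk", ".vmsn", ".vmem"}

# Constructed sample paths from a hypothetical incident, not real data.
SAMPLE_PATHS = [
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk.crypt8421",
    "/vmfs/volumes/ds1/web01/web01.vswp.crypt8421",
    "/vmfs/volumes/ds1/web01/vmware.log.crypt8421",
    "C:/Users/alice/Documents/budget.xlsx.lilith",
    "C:/Users/alice/Documents/DECRYPT-FILES.txt",
    "C:/Shares/finance/q2.docx.0mega",
    "C:/Shares/hr/notes.txt",
    "C:/Shares/hr/report.pdf.h0lyenc",
]

def attribute(path):
    """Map one path to (family, kind), or (None, None) if it matches no indicator."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name], "ransom_note"
    for family, rx in FAMILY_RULES:
        if rx.search(name):
            return family, "encrypted_file"
    return None, None

def triage(paths):
    """Count hits per family and how many RedAlert-encrypted files were ESXi VM files."""
    hits, esxi_hits = Counter(), 0
    for p in paths:
        family, kind = attribute(p)
        if family is None:
            continue
        hits[family] += 1
        if family == "RedAlert" and kind == "encrypted_file":
            # Strip the appended extension to recover the victim file's own suffix.
            stem = re.sub(r"\.crypt\d+$", "", p, flags=re.I)
            if os.path.splitext(stem)[1].lower() in ESXI_TYPES:
                esxi_hits += 1
    return hits, esxi_hits
```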

“Ransomware groups continue to pose a severe threat to firms and individuals. Organizations need to stay ahead of the techniques used by TAs besides implementing the requisite security best practices and security controls. Ransomware victims are at risk of losing valuable data as a result of such attacks, resulting in financial loss and lost productivity. If the victim is unable or unwilling to pay the ransom, the TAs may leak or sell this data online, compromising sensitive user data for businesses and individuals and resulting in a loss of reputation for the affected organization(s).” concludes Cyble. “Throughout 2021 and 2022, we have observed record levels of ransomware activity. While notable examples of this are rebrands of existing groups, newer groups like LILITH, RedAlert, and 0mega are also proving to be potent threats.”



Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)
